You might try squid_kerb_auth which uses Negotiate/Kerberos instead of NTLM
or Negotiate/NTLM.
Markus
Matias Chris [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Henrik,
I have tried LDAP authentication in the past and stopped using it because
of the passwords being sent in clear
I did implement recursive group search in squid_kerb_ldap at
http://sourceforge.net/project/showfiles.php?group_id=196348.
Markus
Henrik Nordstrom [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Mon 2008-11-24 at 13:04 -0800, Mike Ely wrote:
directly a member of the acl
Benedict simon si...@kmun.gov.kw wrote in message
news:dde908b0d0e692cbfa0d7d7490dce7f2.squir...@webmail.baladia.gov.kw...
Dear Amos,
Thanks and really appreciate for ur quick reply
i will try the link and n check it out.
me too a novice in Ldap n not a professional in ADS
regards
simon
In more detail the required steps for squid_kerb_auth (from
https://sourceforge.net/project/showfiles.php?group_id=196348 or from latest
squid distribution) are:
1) Install kerberos client package
2) Install msktutil package from
http://dag.wieers.com/rpm/packages/msktutil/
3) Configure
Is it possible to subscribe to the mailing list without receiving the mails.
I would prefer that as I usually go via the gmane news server.
Thank you
Markus
- Original Message -
From: Amos Jeffries squ...@treenet.co.nz
To: Markus Moeller hua...@moeller.plus.com
Cc: squid-users@squid-cache.org
Sent: Sunday, March 22, 2009 12:28 AM
Subject: Re: [squid-users] Re: AD authentiction with squid
Markus Moeller wrote:
In more detail the required
Can you send me the following;
fqdn
hostname
klist -kt squid.keytab ( If you use MIT Kerberos)
Does your startup script set the KRB5_KTNAME environment variable ?
Can you do a successful kinit -k squid.keytab HTTP/hostname ?
Can you add a -d to squid_kerb_auth and send me the output ?
- Original Message -
From: Truth Seeker truth_seeker_3...@yahoo.com
To: Markus Moeller hua...@moeller.plus.com
Cc: Squid maillist squid-users@squid-cache.org
Sent: Wednesday, June 03, 2009 7:39 PM
Subject: Re: [squid-users] Re: Squid + Kerberos + Active Directory
Dear Markus,
Really
Truth Seeker truth_seeker_3...@yahoo.com wrote in message
news:666179.84807...@web43402.mail.sp1.yahoo.com...
Dear Markus,
please look into the following information;
[r...@linuxproxy ~]# kinit -k -t HTTP.keytab HTTP/linuxproxy.panasonic.com
kinit(v5): No such file or directory while
truth_seeker_3...@yahoo.com wrote in message
news:549528.19551...@web43413.mail.sp1.yahoo.com...
Dear Markus,
First of all i disabled the debug_options ALL,1 33,2 28,9 in squid.conf.
Then when i reloaded the squid service, i was looking in all the log files
where it will reflect anything
Truth Seeker truth_seeker_3...@yahoo.com wrote in message
news:717858.78957...@web43416.mail.sp1.yahoo.com...
Dear Markus,
One more finding... when i issued the command klist.. i feel like
something is wrong. pls look below;
[r...@linuxproxy ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
- Original Message -
From: Truth Seeker truth_seeker_3...@yahoo.com
To: Markus Moeller hua...@moeller.plus.com
Cc: Squid maillist squid-users@squid-cache.org
Sent: Sunday, June 07, 2009 10:23 AM
Subject: Re: [squid-users] Re: Re: Re: Squid + Kerberos + Active Directory
Dear Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:h0gs7v$mk...@ger.gmane.org...
- Original Message -
From: Truth Seeker truth_seeker_3...@yahoo.com
To: Markus Moeller hua...@moeller.plus.com
Cc: Squid maillist squid-users@squid-cache.org
Sent: Sunday, June 07, 2009 10:23
Hi,
TBH I haven't had yet a chance to do performance testing of my helper.
What you are seeing is the Kerberos replay protection cache. HTTP is the
part of the service principal and 501 is the uid of the process. Depending
on the request/sec it can be quite a bit as each request will be
Could you add the following to your squid startup script ?
export KRB5RCACHETYPE=none
This should disable the cache and I don't think it is a big security risk.
Could you report back if this improves the CPU load ?
Thank you very much
Markus
Markus Moeller hua...@moeller.plus.com wrote
BTW What is your request/sec rate so that I can judge better if it is a
general low, medium or high squid load ?
Thank you
Markus
J.J. jayjay...@gmx.de wrote in message
news:20090624140826.52...@gmx.net...
hi Everybody!
i have a problem with authentication helper squid_kerb_auth.
It's
Is it allowed to use a content length with a CONNECT method to a proxy ?
If so how must the proxy reply ? Acknowledge the connect request immediately
and then receive the data or wait for the data before acknowledging the
connect request ?
Thank you
Markus
I get the following compile error on Opensolaris. How can I fix this ?
Thank you
Markus
# uname -a
SunOS opensolaris 5.11 snv_109 i86pc i386 i86pc
# cc -V
cc: Sun C 5.9 SunOS_i386 Patch 124868-07 2008/10/07
usage: cc [ options] files. Use 'cc -flags' for details
source='comm.cc'
...@treenet.co.nz...
Markus Moeller wrote:
I get the following compile error on Opensolaris. How can I fix this ?
Thank you
Markus
# uname -a
SunOS opensolaris 5.11 snv_109 i86pc i386 i86pc
# cc -V
cc: Sun C 5.9 SunOS_i386 Patch 124868-07 2008/10/07
usage: cc [ options] files. Use 'cc -flags
errors. No output written to ufsdump
Thank you
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:h4hlvp$1t...@ger.gmane.org...
OK removing private: from the definition seems to work. Not sure how
important the warnings are.
CC -DHAVE_CONFIG_H -DDEFAULT_CONFIG_FILE=\/usr/local
Hi Daniel,
Did you see any configure errors for gssapi.h ?
Markus
Daniel sq...@zoomemail.com wrote in message
news:001301ca19fe$9f450a50$ddcf1e...@com...
Good afternoon,
In my attempt to get Squid on our SLES 11 box authenticating with
Kerberos (negotiate), I used the following to
The config.log file is in helpers/negotiate_auth/squid_kerb_auth/ . 3.1
runs a configure in that directory. Not sure if it should be moved into the
main configure as now done in 2.7 and 3.0.
Markus
Amos Jeffries squ...@treenet.co.nz wrote in message
news:4a862fb9.6050...@treenet.co.nz...
PM
To: Daniel
Cc: 'Markus Moeller'; squid-users@squid-cache.org
Subject: Re: [squid-users] Re: Kerberos Authentication - Squid 3.1.0.13
Daniel wrote:
Markus,
First, please correct me if I'm wrong but I looked for 'gssapi.h' in
config.log and I'm assuming that config.log contains all the log
Henrik Nordstrom hen...@henriknordstrom.net wrote in message
news:1250627594.12999.2.ca...@henriknordstrom.net...
Tue 2009-08-18 at 15:42 -0400, Daniel wrote:
Gentlemen,
I realize that my question has morphed into a general SLES question,
so I won't keep this chain going forever. Here's
...@ger.gmane.org] On Behalf Of Markus Moeller
Sent: Tuesday, August 18, 2009 5:27 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Re: Re: Kerberos Authentication - Squid 3.1.0.13
Henrik Nordstrom hen...@henriknordstrom.net wrote in message
news:1250627594.12999.2.ca...@henriknordstrom.net...
tis 2009
/man1/krb5-send-pr.1.gz
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:h6hv53$dd...@ger.gmane.org...
You should be able to download the following SUSE Linux Enterprise 11
Software Development Kit e-Media Kit from here
http://developer.novell.com/wiki/index.php/SLES_SDK
I think you use the wrong keytab. Did you export KRB5_KTNAME in the startup
script ?
You store the key in HTTP.keytab but squid tries /etc/krb5.keytab (the
default).
Markus
Eugene M. Zheganin e...@norma.perm.ru wrote in message
news:4a8a459e.3060...@norma.perm.ru...
Hi.
I'm trying to
Did you set the environment variable KRB5_KTNAME to your HTTP.keytab
location otherwise the default /etc/krb5.keytab will be used ?
Markus
Mrvka Andreas m...@tuv.at wrote in message
news:200908241355.23393@tuv.at...
Hi list,
I want to use this brilliant software squid but do you know
Jeremy Monnet jmon...@gmail.com wrote in message
news:2b1bd02c0908251050i6e63cecaxeb29ceecd2a84...@mail.gmail.com...
Hi,
I am trying to authenticate users through kerberos on a windows 2003
server AD. Basically, I followed the klaubert tutorial [1], part on
Negotiate/kerberos authentication.
I added some comments to the wiki.
Thank you
Markus
Mrvka Andreas m...@tuv.at wrote in message
news:200908251055.04159@tuv.at...
Hi again,
I've found my error myself.
Using this howto from Guido:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
works great at my site
What Kerberos library do you use ? Heimdal 1.0.1 ?
Markus
Jeremy Monnet jmon...@gmail.com wrote in message
news:2b1bd02c0908260903w19691f69v83c2af6b1b140...@mail.gmail.com...
On Wed, Aug 26, 2009 at 12:35 AM, Jeremy Monnet jmon...@gmail.com wrote:
This will create 200 authentication
Jeremy Monnet jmon...@gmail.com wrote in message
news:2b1bd02c0908270702p7f8d7936lcfb43c52aae79...@mail.gmail.com...
Hi again,
On Thu, Aug 27, 2009 at 12:40 PM, Jeremy Monnet jmon...@gmail.com wrote:
On Thu, Aug 27, 2009 at 9:28 AM, Mrvka Andreas m...@tuv.at wrote:
Am Donnerstag, 27. August
Jeremy Monnet jmon...@gmail.com wrote in message
news:2b1bd02c0908270340g5bfb8b9fqa9842e0fd1851...@mail.gmail.com...
On Thu, Aug 27, 2009 at 9:28 AM, Mrvka Andreas m...@tuv.at wrote:
Hi,
On Thursday, 27 August 2009 08:40:53, Jeremy Monnet wrote:
Would you have any clue to what the
Jeremy Monnet jmon...@gmail.com wrote in message
news:2b1bd02c0908270649w206c197ci996bef4ce86cc...@mail.gmail.com...
Hi,
Looking at the configuration examples, I see there are several ways to
authenticate against AD. If I don't make a mistake :
- squid_kerb_auth
Is it possible that you allow CONNECT without authentication ? A
configuration error ?
Markus
- Original Message -
From: Wojciech Dudys wdu...@gmail.com
To: Markus Moeller hua...@moeller.plus.com
Sent: Thursday, August 27, 2009 8:47 AM
Subject: Re: [squid-users] Re: squid_kerb_auth
-
From: Wojciech Dudys wdu...@gmail.com
To: Markus Moeller hua...@moeller.plus.com
Sent: Thursday, August 27, 2009 8:16 PM
Subject: Re: [squid-users] Re: squid_kerb_auth and access.log issue
My configuration is very simple. I just added those lines to the
default squid.conf file
auth_param
Do you use IE ? If so did you check HTTP 1.1 through proxies ? Do you have
the destination in the right IE zone ? If I remember right you can use IWA
only to sites in the Intranet zone or trusted sites. Also older IEs may not
support IWA via proxies. And the proxy needs to add Proxy-support:
I finally could look more into Windows 2008 and I found some unusual
behaviour. Firstly you need hotfix 951191 and possibly
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
KdcUseRequestedEtypesForTickets=dword:0001
Secondly it looks like 2008 creates the HTTP principal out of a
Could you post an extract of cache.log showing the squid_kerb_auth and
squid_kerb_ldap entries.
Markus
Chris Richardson cric...@gmail.com wrote in message
news:af01ca210908311222m104d2d2amdef43eca8e695...@mail.gmail.com...
Hi everyone here is what i am trying to do i want to use kerb for SSO
Please post extracts of the cache.log file. both squid_kerb_auth and
squid_kerb_ldap produce lots of debug with -d.
Regards
Markus
Дмитрий Нестеркин undelb...@gmail.com wrote in message
news:cf132a050909010041x59898e38naa49ca3eab974...@mail.gmail.com...
I'm trying to configure Kerberos
squid_kerb_auth should be able to handle two AD Forests without trust. Use
the -s GSS_C_NO_NAME and add keys from both ADs to the keytab.
Regards
Markus
Guido Serassio guido.seras...@acmeconsulting.it wrote in message
news:58fd293ce494af419a59ef7e597fa4e6393...@hermes.acmeconsulting.loc...
Markus Moeller hua...@moeller.plus.com wrote in message
news:h7bduh$l5...@ger.gmane.org...
I finally could look more into Windows 2008 and I found some unusual
behaviour. Firstly you need hotfix 951191 and possibly
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc
??? ? undelb...@gmail.com wrote in message
news:cf132a050909030128ke05b19bl5cfc7e0f6ac81...@mail.gmail.com...
I've configured Kerberos authentication for users in AD, but there is
one problem: after half an hour IE7 forgets about Kerberos and tries
to use NTLM. User has to restart
What method did you try for AD authentication ?
Markus
vikas rawat rawat.vi...@gmail.com wrote in message
news:d1392a280909140858v38a17373x6675900322a0a...@mail.gmail.com...
Dear All,
I have configured SQUID in Linux RHEL with NCSA authentication, is
there any option users can change their
Can you send me the cache.log entries ?
Can you do a kinit -kt /etc/squid/HTTP.keytab HTTP/f...@domain ?
Can you capture with wireshark the traffic on port 88 on the kdc when doing
kinit ?
Did you clear the cache on the Windows client using the Windows klist or
kerbtray from the resource
had to wait that the message key version incorrect
disappeared in cache.log.
Maybe the client cache is really important
Yes it is.
Regards
Andrew
On Tuesday, 22 September 2009 22:33:48, Markus Moeller wrote:
Can you send me the cache.log entries ?
Can you do a kinit -kt /etc/squid
Henrik Nordstrom hen...@henriknordstrom.net wrote in message
news:1253822657.5592.1.ca...@localhost.localdomain...
Thu 2009-09-24 at 10:09 +0200, Mrvka Andreas wrote:
You are right - I have to use NTLM too because there are many IE 6
around.
But I use the same name for kerberos_auth and
-users use net ads join and want to
implement
kerberos too.
Regards
Andrew
On Friday, 25 September 2009 01:07:44, Markus Moeller wrote:
Henrik Nordstrom hen...@henriknordstrom.net wrote in message
news:1253822657.5592.1.ca...@localhost.localdomain...
tor 2009-09-24 klockan 10:09 +0200 skrev
the rest. :-)
Thanks for support.
I can imagine lots of other squid-users use net ads join and want to
implement
kerberos too.
Regards
Andrew
On Friday, 25 September 2009 01:07:44, Markus Moeller wrote:
Henrik Nordstrom hen...@henriknordstrom.net wrote in message
news:1253822657.5592.1.ca
Mrvka Andreas m...@tuv.at wrote in message
news:200909281546.30273@tuv.at...
Hello Markus,
I thought there will be more changes in wiki than what you have written.
You write about either use msktutil or net ads... but not both.
You can use both, but I try to avoid confusion (not sure
squid_kerb_auth should work.
Markus
Ron Richardson rrichard...@liverpool.k12.ny.us wrote in message
news:fc.000f714603d9ae87000f714603d9ae87.3d9a...@liverpool.k12.ny.us...
Has anyone put Kerberos authentication into the MacPort of Squid? If so,
would you care to share how you did it?
If
You can list as many as you like. You can also use DNS srv records which AD
usually defines automatically ( if you run DNS on it too)
Also squid does not require any kdc. The client does all the communication
to AD (That is why Kerberos should perform better than NTLM)
Regards
Markus
Mrvka
What do you mean with maintain a windows account ? You usually create it
once. If you run squid on Windows you don't need a keytab.
Regards
Markus
Joseph L. Casale jcas...@activenetwerx.com wrote in message
news:abf9510930e1374ba4b4c61a01104fbdb60...@monterossa.activenetwerx.local...
To
Use a computer account not a user account. msktutil for example does that
for you.
Markus
Joseph L. Casale jcas...@activenetwerx.com wrote in message
news:abf9510930e1374ba4b4c61a01104fbdb61...@monterossa.activenetwerx.local...
What do you mean with maintain a windows account ? You usually
If you use squid_kerb_auth you can configure it to do Kerberos
authentication for both domains. To do so use squid_kerb_auth with the
option -s GSS_C_NO_NAME and add a principal HTTP/squid fqdn@WIN.DOM to
the keytab.
To do this create a krb5_WIN.conf file like below and export
Does anybody know how a Windows client determines the right authentication
mechanism ? I have a case where most clients are on a Windows domain and
squid_kerb_auth works fine. Now I have clients from visitors which have
never been on the domain. Can I send to these clients a list of
Henrik Nordstrom hen...@henriknordstrom.net wrote in message
news:1257212761.2980.2.ca...@localhost.localdomain...
Mon 2009-11-02 at 23:42 +1300, Amos Jeffries wrote:
IME, I think sending the correct realm or domain in the NTLM or
Negotiate auth headers may prevent clients attempting
Henrik Nordstrom hen...@henriknordstrom.net wrote in message
news:1257278257.20561.5.ca...@localhost.localdomain...
Tue 2009-11-03 at 19:44 +, Markus Moeller wrote:
But how would that work if the guest uses his own machine e.g. Kerberos
(no
ticket available) nor NTLM (no shared
Amos Jeffries squ...@treenet.co.nz wrote in message
news:4b0874ac.7010...@treenet.co.nz...
Gerson fserve Barreiros wrote:
How to block ultrasurf, thor and similars using squind in transparent
mode?
Haven't heard of Thor. What does it do? references please.
I think he means
Did you set the environment variable KRB5_KTNAME correctly to
FILE:/etc/squid/HTTP.keytab in the squid startup file ? Does the squid
process have read permissions on the keytab ?
Can you run squid_kerb_auth with one child and use strace against it to check
for any access errors ?
Markus
Andrew
Extra Fu extr...@gmail.com wrote in message
news:11be40100911281444x673710b7w26a337d24549...@mail.gmail.com...
Hello,
I'm considering dropping the use of NTLM in favor of Kerberos
(auth_param negotiate) to authenticate users against my AD 2003
server. To do this, I would like to use the
Why don't you try Negotiate/Kerberos ?
Markus
torcaz99 torca...@hotmail.com wrote in message
news:27060215.p...@talk.nabble.com...
Hello:
I'm trying to authenticate my Firefox(Linux) to Squid (Linux) using NTLM
without having to type my domain/user and password.
What I have:
-
Negotiate keep popping up .. :/
Regards
Malte Schröder
On Sat, 21 Jun 2008 13:45:33 +0100
Markus Moeller hua...@moeller.plus.com wrote:
Thank you for the offer. I posted on the 14th June a problem with my
ntlm_auth setup. Once I have solved that I think I know how to put
ntlm_auth
together
Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
search with a filter (serviceprincipalname=HTTP/f...@realm) if you have
duplicate entries ?
This kinit -k -t /etc/squid/squid.keytab HTTP/f...@realm.kerberos will only
work if the userprincipal name is
that will help me with this?
Sorry for being a pain and thanks again.
Regards
Umesh
2010/1/13 Markus Moeller hua...@moeller.plus.com:
Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
search with a filter (serviceprincipalname=HTTP/f...@realm) if you have
duplicate
should it be the
fqdn (proxy1.domain.com)?
Regards
Umesh
2010/1/13 Markus Moeller hua...@moeller.plus.com:
On AD you can use ADSIEDIT (
http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
search for entries and delete,modify them. The best instructions are
http://wiki.squid
?
Regards
Umesh
2010/1/15 Markus Moeller hua...@moeller.plus.com:
Sorry I forgot to say that you have to do a kinit adu...@realm before you
issue the kvno command. Did you use the samba netjoin command to create
the as account and the keytab ?
Markus
Umesh Bodalina u.bodal...@gmail.com wrote
'YIICPQYGKwYBBQUCoIICMTCCAi2gHzAdBgkq...' (decoded length: 577).
AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg== mar...@suse.home
2010/01/15 14:40:29| squid_kerb_auth: AF oRQwEqADCgEAoQsGCSqGSIb3EgECAg==
mar...@suse.home
Regards
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:hipnhp$hs
gss_accept_sec_context() failed: Unspecified GSS failure. Minor
code may provide more information. No error
Any ideas?
Regards
Umesh
2010/1/15 Markus Moeller hua...@moeller.plus.com:
There should be a squid_kerb_auth_test application in the same source
directory as squid_kerb_auth.
Do a kinit u...@domain
-GB:official
is DENIED, because it matched 'password'
My acl for this was:
'http_access deny !password'
Regards
Umesh
2010/1/16 Markus Moeller hua...@moeller.plus.com:
Can you check your DNS you should get for
nslookup name an ip
and for the reverse
nslookup ip the same name.
Which Kerberos
Can you run squid_kerb_auth with -d and send me the output please ?
Markus
Jose Lopes jlo...@iportalmais.pt wrote in message
news:4b545789.1090...@iportalmais.pt...
Hi,
I'm trying to get the squid helper squid_kerb_auth to work against our
Active Directory (win 2003 r2).
I'm using squid
put kerberos as first iteration?
Thanks in advance
Regards
Jose
Markus Moeller wrote:
The message parseNegTokenInit failed with rc=102 just means the token
is not a GSSAPI token wrapped in a SPNEGO token, but a plain GSSAPI
token. When you use firefox you have to do a kinit first to store
the user principal and the service principal
HTTP/squid.domain.
- At port 88 there are a TGS-REQ and a TGS-REP
- It works
Regards
Jose
Markus Moeller wrote:
Hi Jose
Can you install kerbtray from the resource kit
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE
. But firefox deny the second try.
And i don't know how to sort out this problem.
Regards
Jose
Markus Moeller wrote:
Firstly for non domain members you can not get SSO with
Negotiate/Kerberos (as far as I know). When you get the popup
asking for a username/password and you provide u...@domain
If you use squid_kerb_auth use the -d option which will give a lot of debug
in cache.log.
Markus
nickcx ncairncr...@condenast.co.uk wrote in message
news:1264161465938-1099974.p...@n4.nabble.com...
hi,
I'm brand new to linux, squid etc as of 10 days ago but have got my squid
3
stable 20
BTW You shouldn't use DES encryption anymore as it is too weak and will be
disabled in future Kerberos libraries (as you have noticed in windows 7).
Use RC4 or AES.
Markus
Mike Bordignon (GMI) m...@gmi.co.nz wrote in message
news:4b676552.20...@gmi.co.nz...
No matter - this was the problem
via
Kerberos
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Date: 2/02/2010 7:21 p.m.
BTW You shouldn't use DES encryption anymore as it is too weak and will
be disabled in future Kerberos libraries (as you have noticed in windows
7). Use RC4 or AES.
Markus
Mike
provide more information. Key
version number for principal in key table is incorrect
Original Message
Subject: [squid-users] Re: Re: Unable to get Firefox to authenticate via
Kerberos
From: Markus Moeller hua...@moeller.plus.com
To: squid-users@squid-cache.org
Date: 3/02/2010 11
Can you run squid_kerb_ldap with strace -f -F to see when the permission
deny happens ? Just write a script squid_kerb_ldap_sh
#!/bin/sh
strace -f -F -o /tmp/strace.out.$$ squid_kerb_ldap "$@"
and change your config file to use that script.
/tmp/strace.out.xxx should show where the permission
If you have only a directory not an executable then you don't really have
squid_kerb_ldap installed.
The script is a standalone script somewhere on your filesystem accessible by
the squid process.
Markus
Ralf Fruehauf r.fruehwa...@googlemail.com wrote in message
:03, schrieb Markus Moeller:
If you have only a directory not an executable then you don't really
have squid_kerb_ldap installed.
The script is a standalone script somewhere on your filesystem accessible
by the squid process.
Markus
Ralf Fruehauf r.fruehwa...@googlemail.com wrote in message
You need the ldap and sasl development packages.
Markus
Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message
news:c7b3f825.1bb93%nick.cairncr...@condenast.co.uk...
Henrik,
Thanks for the pointers - I have added the missing dependencies. Now I
receive the following. The results
Continuation needed means that the GSSAPI exchange has not finished and the
server needs more data from the client. Can you see in wireshark if the
token length is the one squid_kerb_auth says it is
squid_kerb_auth: Got 'YRYI...' from squid (length: 3607)
Markus
Fabian Hugelshofer
You will also need a cyrus-sasl-gssapi package to run squid_kerb_ldap with
SASL/GSSAPI authentication to AD or Openldap.
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
news:hmmmuv$ie...@dough.gmane.org...
You need the ldap and sasl development packages.
Markus
Nick
...@open.ch wrote in message
news:4b8fdb2e.5000...@open.ch...
Markus Moeller wrote:
Continuation needed means that the GSSAPI exchange has not finished and
the server needs more data from the client. Can you see in wireshark if
the token length is the one squid_kerb_auth says
missing something straight-forward..
Nickcx
On 03/03/2010 23:56, Markus Moeller hua...@moeller.plus.com wrote:
You will also need a cyrus-sasl-gssapi package to run squid_kerb_ldap with
SASL/GSSAPI authentication to AD or Openldap.
Markus
Markus Moeller hua...@moeller.plus.com wrote in message
Some more comments below:
Fabian Hugelshofer f...@open.ch wrote in message
news:4b8fdb2e.5000...@open.ch...
Markus Moeller wrote:
Continuation needed means that the GSSAPI exchange has not finished and
the server needs more data from the client. Can you see in wireshark if
the token length
How did you create the keytab ?
Markus
Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message
news:c7ce8144.1d5e1%nick.cairncr...@condenast.co.uk...
Hi,
I'm concerned by a problem with my HTTP.keytab 'expiring'. My test base have
reported a problem to me that they are prompted
is readable by the squid process owner e.g. chgrp
squid /etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab )
Is there another way to do this (or have I done it wrong)
Nick
On 24/03/2010 23:45, Markus Moeller hua...@moeller.plus.com wrote:
How did you create the keytab ?
Markus
Nick
Matt Richards m...@mattstone.net wrote in message
news:4bac89a7.3050...@mattstone.net...
Hello,
Does anybody know if any technique or application that will allow
windows machines (XP and 7) to authenticate against a proxy when
applications don't support proxy authentication.
What I am
I may have misunderstood what you said, but there is no caching of
authentication for Kerberos nor Basic/Digest. I think the TTL you talk about
is for authorisation.
Markus
Khaled Blah khaled.b...@googlemail.com wrote in message
news:4a3250ab1003290408q72ec495an7d04934d527c3...@mail.gmail.com...
Did you try -r with squid_kerb_auth ?
Markus
Nick Cairncross nick.cairncr...@condenast.co.uk wrote in message
news:c7d69a71.1dc21%nick.cairncr...@condenast.co.uk...
Hi,
I just wanted to give this a bump; Is it possible to manipulate the
(Kerberos-authenticated) username that gets sent to my
10/10 'squid_kerb_auth'
processes
(squid_kerb_auth): invalid option -- r
Did I misunderstand?
I'm using Squid 3.0 stable 20 - I'm not sure what version the
squid_kerb_auth that comes with it is.
Thanks,
Nick
On 29/03/2010 22:16, Markus Moeller hua...@moeller.plus.com wrote:
Did you try -r
Have a look at
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos and
http://sourceforge.net/projects/squidkerbauth/files/squidkerbldap/squid_kerb_ldap-1.2.1/squid_kerb_ldap-1.2.1.tar.gz/download
Regards
Markus
GIGO . gi...@msn.com wrote in message
Henrik Nordström hen...@henriknordstrom.net wrote in message
news:1270330950.9955.60.ca...@localhost.localdomain...
Sat 2010-03-27 at 18:42 +0100, Khaled Blah wrote:
Hi all,
I'm developing an authentication helper (Negotiate/NTLM) for squid and
I am trying to understand more how squid
Hi Bilal,
It is a bit more complicated. it is not a pure Kerberos authentication but
a Negotiate/Kerberos authentication.
If you have a Windows client and the proxy sends WWW-Proxy-Authorize:
Negotiate the Windows client will try first to get a Kerberos ticket and if
that succeeds sends a
Sorry I knew that but forgot to mention that I was talking about the Unix
version.
Thank you
Markus
Guido Serassio guido.seras...@acmeconsulting.it wrote in message
news:58fd293ce494af419a59ef7e597fa4e6400...@hermes.acmeconsulting.loc...
Hi Markus,
If you have a Windows client and the
Hi Bilal,
When you use Negotiate you can not control if the client uses
Negotiate/Kerberos or Negotiate/NTLM. You have to use pure NTLM as the auth
option to guarantee NTLM.
Regards
Markus
GIGO . gi...@msn.com wrote in message
news:snt134-w53ecc1acc0c9b74476d649b9...@phx.gbl...
Hi All,
BTW You do not need Administrator rights. You can set permission for
different Groups on OUs for example for Unix Kerberos Admins.
Markus
Khaled Blah khaled.b...@googlemail.com wrote in message
news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...
Hi Bilal,
1. ktpass and
Hi Nick,
Did you use samba to create the keytab? I have seen that if you use samba
for more than squid (e.g. cifs, winbind, etc) it will update regularly the
AD entry and key for the host/fqdn principal which is the same as for
HTTP/fqdn. I usually use msktutil and create a second AD entry